Deploying IPv6, now(PPT)

Deploying IPv6, Now. Christian Huitema, Architect, Windows Networking & Communications, Microsoft Corporation

Transcript of Deploying IPv6, now(PPT)

Page 1: Deploying IPv6, now(PPT)

Deploying IPv6, Now

Christian Huitema
Architect, Windows Networking & Communications
Microsoft Corporation

Page 2: Deploying IPv6, now(PPT)

©1985-2001 Microsoft Corporation

Agenda

• The Opportunity
• Key Problems
• The Promise of IPv6
• What is Microsoft doing
• Call to Action

Page 3: Deploying IPv6, now(PPT)

The Opportunity

Charles Fitzgerald
Development
Page 4: Deploying IPv6, now(PPT)

Key Problems: Address Shortage

Extrapolating the number of DNS registered addresses shows total exhaustion in 2009. But the practical maximum is about 240 M addresses, in 2002-2003.

[Chart: log-scale axis from 1 to 10000, plotted over S-96 to S-09]

Page 5: Deploying IPv6, now(PPT)

Key Problems: Address Shortage

Peer to Peer applications require
• Addressability of each end point
• Unconstrained inbound and outbound traffic
• Direct communication between end points using multiple concurrent protocols

NATs are a band-aid to address shortage
• Block inbound traffic on listening ports
• Constrain traffic to “understood” protocols
• Create huge barrier to deployment of P2P applications

Page 6: Deploying IPv6, now(PPT)

Key Problems: Lack of Mobility

Existing applications and networking protocols do not work with changing IP addresses
• Applications do not “reconnect” when a new IP address appears
• TCP drops session when IP address changes
• IPSEC hashes across IP addresses, changing address breaks the Security Association

Mobile IPv4 solution is not deployable
• Foreign agent reliance not realistic
• NATs and Mobile IPv4? Just say NO

Page 7: Deploying IPv6, now(PPT)

Key Problems: Network Security

Always On == Always attacked!
• Consumers deploying NATs and Personal Firewalls
• Enterprises deploying Network Firewalls

NATs and Network Firewalls break end-to-end semantics
• Barrier to deploying Peer to Peer applications
• Barrier to deploying new protocols
• Block end-to-end, authorized, tamper-proof, private communication

No mechanisms for privacy at the network layer
• IP addresses expose information about the user

No transparent way to restrict communication within network boundaries

Page 8: Deploying IPv6, now(PPT)

The Promise of IPv6

Enough addresses
• 64+64 format: 1.8E+19 networks, units
• assuming IPv4 efficiency: 1E+16 networks, 1 million networks per human
• 20 networks per m² of Earth (2 per sqft)
• Removes need to stretch addresses with NATs

True mobility
• No reliance on Foreign Agents

Better network layer security
• IPSec delivers end-to-end security
• Link/Site Local addresses allow partitioning
• Anonymous addresses provide privacy

Page 9: Deploying IPv6, now(PPT)

The Promise of IPv6
Example: Multiparty Conference, using IPv6

With a NAT:
• Brittle “workaround”.

With IPv6:
• Just use IPv6 addresses

[Diagram labels: P1, P2, P3; Home LAN and Home Gateway (twice); Internet]

Page 10: Deploying IPv6, now(PPT)

The Promise of IPv6
If IPv6 is so great, how come it is not there yet?

Applications
• Need upfront investment, stacks, etc.
• Similar to Y2K, 32 bit vs. “clean address type”

Network
• Need to ramp-up investment
• No “push-button” transition

[Diagram labels: networks, applications]

Page 11: Deploying IPv6, now(PPT)

What is Microsoft doing

Building a complete IPv6 stack in Windows
• Technology Preview stack in Win2000
• Developer stack in Windows XP
• Deployable stack in .NET Server & update for Windows XP
• Windows CE planned

Supporting IPv6 with key applications protocols
• File sharing, Web (IIS, IE), Games (DPlay), Peer to Peer platform, UPnP

Building v4->v6 transition strategies
• Scenario focused tool-box

Page 12: Deploying IPv6, now(PPT)

What is Microsoft doing: IPv6 deployment tool-box

IPv6 stateless address auto-configuration
• Router announces a prefix, client configures an address

6to4: Automatic tunneling of IPv6 over IPv4
• Derives IPv6 /48 network prefix from IPv4 global address

Automatic tunneling of IPv6 over UDP/IPv4
• Works through NAT, may be blocked by firewalls

ISATAP: Automatic tunneling of IPv6 over IPv4
• For use behind a firewall.

Page 13: Deploying IPv6, now(PPT)

What is Microsoft doing: Recommended Strategies

In the home
• Use IPv6 if available,
• Or use 6to4 if global IPv4 address,
• Or use IPv6 over UDP

In the enterprise
• Use IPv6 ISP or 6to4 for external access,
• Use ISATAP while upgrading the network

Page 14: Deploying IPv6, now(PPT)

What is Microsoft doing: Addressing hard problems

Domain Names and IPv6 have issues
• Peer to Peer applications require dynamic registration of IPv6 address
• DDNS is hard to deploy securely on the internet
• Workarounds require building alternate namespaces or avoiding names altogether

Ease of use is a must
• Need an easy way to get Mobile IPv6 addresses
• Need an easy way to resolve names in an IPv6 Ad-hoc network (DNS Server not reachable)

Page 15: Deploying IPv6, now(PPT)

In Summary… We Build Together

Microsoft is moving quickly to enable Windows platforms for IPv6
• Up to date information on: http://www.microsoft.com/ipv6/
• Send us feedback and requirements: mailto:[email protected]

We need your help to move the world to a simple ubiquitous network based on IPv6

Page 16: Deploying IPv6, now(PPT)

Call to Action

Network Providers: Build it and they will come
• Do not settle for NATs for new designs
• Demand IPv6 support on all equipment
• Offer native IPv6 services

Device Vendors: Design for the simpler, ubiquitous IPv6 internet

Application Writers: Don’t wait on the above
• Use Windows XP and Windows .NET Server NOW!

Page 17: Deploying IPv6, now(PPT)

Microsoft Vision

Empower people through great software anytime, anyplace, and on any device

Page 18: Deploying IPv6, now(PPT)
Page 19: Deploying IPv6, now(PPT)

Background Material

Page 20: Deploying IPv6, now(PPT)

6to4: tunnel IPv6 over IPv4

• 6to4 routers derive IPv6 prefix from IPv4 address,
• 6to4 relays advertise reachability of prefix 2002::/16
• Automatic tunneling from 6to4 routers or relays
• Single address (192.88.99.1) for all relays

[Diagram labels: IPv4 Internet, Native IPv6, 6to4 routers 6to4-A and 6to4-B, two Relays, hosts A, B and C. IPv4 addresses shown: 1.2.3.4, 5.6.7.8, and 192.88.99.1 for each relay. IPv6 addresses shown: 2002:102:304::b…, 2002:506:708::b…, 3001:2:3:4:c…]
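
The prefix derivation on this slide, as an added Python example that is not part of the original deck: a 6to4 router places its 32-bit IPv4 address directly after 2002::/16 to form its /48, so the tunnel endpoint can be read back out of any 6to4 address and checked at ingress. The function names and the sample source addresses (host part ::1, 2001:db8::/32 documentation prefix) are constructed for illustration; the rejection rule follows the deck's condition that 6to4 is used with a global IPv4 address.

```python
import ipaddress

SIXTOFOUR = ipaddress.ip_network("2002::/16")  # 6to4 prefix named on the slide


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Return the /48 a 6to4 router derives from its IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    # Layout: 16 bits of 0x2002, then the 32-bit IPv4 address, then 80 zero bits.
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def embedded_ipv4(ipv6: str):
    """Return the IPv4 tunnel endpoint inside a 6to4 address, else None."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIXTOFOUR:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def check_6to4_source(ipv6: str) -> str:
    """Classify a source address as an ingress filter on a 6to4 router could."""
    v4 = embedded_ipv4(ipv6)
    if v4 is None:
        return "not-6to4"
    if not v4.is_global:
        # 6to4 needs a global IPv4 address; anything else cannot be a
        # legitimate tunnel endpoint and should not be accepted.
        return f"reject: embedded {v4} is not a global IPv4 address"
    return f"ok: tunnel endpoint {v4}"


if __name__ == "__main__":
    # Router addresses from the slide's diagram.
    for router in ("1.2.3.4", "5.6.7.8"):
        print(router, "->", sixto4_prefix(router))
    # Constructed sample source addresses (not from the original deck).
    for src in ("2002:102:304::1", "2002:a01:203::1", "2001:db8::1"):
        print(src, "->", check_6to4_source(src))
```
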

Page 21: Deploying IPv6, now(PPT)

ISATAP: IPv6 behind firewall

• ISATAP router provides IPv6 prefix
• Host complements prefix with IPv4 address
• Direct tunneling between ISATAP hosts
• Relay through ISATAP router to IPv6 local or global

[Diagram labels: Firewalled IPv4 network, IPv4 FW, Local “native” IPv6 network, IPv6 FW, ISATAP, IPv6 Internet, IPv4 Internet; nodes A, B, C, D]

Page 22: Deploying IPv6, now(PPT)

IPv6 over UDP through NAT

IPv6 / UDP
• IPv6 prefix: IP address & UDP port

Servers
• Address discovery
• Default “route”
• Enable “shortcut” (A-B)

Relays
• Send IPv6 packets directly to nodes

Works for all NAT

[Diagram labels: NAT (twice), Server, Relay, IPv4 Internet, IPv6 Internet; nodes A, B, C]